McKinsey requires hiring an external pen-testing company to launch even to a small group of coworkers.
I can forgive this kind of mistake on the part of the Lilli devs. A lot of things have to fail for an "agentic" security company to even find a public endpoint, much less start exploiting it.
That being said, the mistakes in here are brutal. Seems like close to 0 authz. Based on very outdated knowledge, my guess is a Sr. Partner pulled some strings to get Lilli to be publicly available. By that time, much/most/all of the original Lilli team had "rolled off" (gone to client projects) as McKinsey HEAVILY punishes working on internal projects.
So Lilli likely was staffed by people who couldn't get staffed elsewhere, didn't know the code, and didn't care. Internal work, for better or worse, is basically a half day.
This is a failure of McKinsey's culture around technology.
McKinsey has a weird structure where there are too many cooks in the kitchen.
Everybody there is reviewed on client impact, meaning it ends up being an everybody-for-themselves situation.
So as a developer you have little guidance (in fact, you're still being reviewed on client impact, even if you have 0 client exposure).
Then a (Senior) Partner comes in with this idea (that will get them a good review), and you jump on that. After all, it's all you can do to get a good review.
You work on it, and then the (Senior) Partner moves on. But it's not done. It's enough for the review, but continuing to work on it doesn't bring you anything, in fact, it will actually pull you down, as finishing the project doesn't give immediate client results.
So what does this mean? Most products of McKinsey are a grab-bag of raw ideas of leadership, implemented as a one-off, without a cohesive vision or even a long-term vision at all. It's all about the review cycle.
McKinsey is trying to do software like they do their other engagements. It doesn't work. You can't just do something for 6 months and then let it go. Software rots.
The fact that they laid off a good amount of (very good) software engineers in 2024 is a reflection on how they see software development.
And McKinsey's people, who go to other companies, take those ideas with them. Result: The UI of your project changes all the time, because everybody is looking at the short-term impact they have that gets them a good review, not what is best for the project in the long term.
And if the latter is the case, then that sort of stamps the case closed from the get-go...
an absolutely wild statement to 99.9% of the world
I mean, it doesn't work for their consulting gigs either. There's a reason McKinsey has such a bad reputation.
It’s really about bypassing the existing power structure of the company. Competence of the work itself is a secondary objective. Most in-house initiatives can be slow rolled by management.
The fresh faced consultant with 2-3 steps to access the CEO neutralizes that. It seems grifty but is really exploiting bugs in corporate governance.
The current fad of firing the managers is a riff on this. Every jackass C-level is coming up with the novel idea of flattening.
Pre-AI, I always said McK is good at analysis, if you need complicated analysis done, hire a consulting firm.
If you need strategy, custom software, org design, etc. I think you should figure out the analysis that needs to be done, shoot that off to a consulting firm, and then make your decision.
IME, F500 execs are delegation machines. When they wake up every morning with 30 things to delegate, and 25 execs to delegate to, they hire 5 consulting teams. Whether you hire Mck, or Deloitte, or Accenture will only come down to:
1. Your personal relationships
2. Your company's policies on procurement
3. Your budget
in that order.
McK's "secret sauce" is that if you, the exec, don't like the powerpoint pages Mck put in front of you, 3 try-hard, insecure, ivy-league educated analysts will work 80 hours to make pages you do like. A sr. partner will take you to dinner. You'll get invited to conferences and summits and roundtables, and then next time you look for a job, it will be easier.
1. How do I build a datacenter
2. How is the industrial ceramic market structured, how do they perform
3. How does a changing environment impact life insurance
Strategy:
1. Should I build a datacenter
2. Should I invest in an industrial ceramics company
3. Should I divest my life insurance subsidiary
Specifically in the software world this would be "automate some esoteric ERP migration" or "build this data pipeline" vs. "how can we be more digital native" or "how do we integrate more AI into our company"
It has to be some kind of higher level protection racket or something. Like if you hire the consultants there is some kind of kickbacks to the higherups or something with more steps involved where those who previously opposed it will now accept it if it's rubberstamped by the consultants.
Or perhaps those other players who are politically opposing this person are just dummies and don't know about this trick and actually trust the consultants. Or maybe it's a bit of a check, that you can't get anything and everything rubberstamped by the consultants, so it is some kind of sanity filter that the guy isn't proposing something that only benefits himself and screws everyone else.
And if it's the latter, then it is genuine value, a somewhat impartial second opinion. Basically there is a fog-of-war for all the execs regarding all the internal politics going on, it's not like they see through everything all the time and simply refuse to take the obviously correct decision for no reason.
McKinsey challenges graduates to use AI chatbot in recruitment overhaul: https://www.ft.com/content/de7855f0-f586-4708-a8ed-f0458eb25...
And require a chatbot to be used that can be easily gamed by asking a model of how best to navigate it lol.
Implementing the past of AI practices is requesting something that will be easily outdone.
They look to package up something and sell it as long as they can.
AI solutions won't have enough of a shelf life, and the thought around AI is evolving too quickly.
Very happy to be wrong and learn from any information folks have otherwise.
Many, many, many companies are very happy with the consulting firms they hire.
Of course, those are the consulting firms that aren't publicly traded and in the news all the time (for all the wrong reasons).
I was expecting prompt injection, but in this case it was just good ol' fashioned SQL injection, possible only due to the naivety of the LLM which wrote McKinsey's AI platform.
I thought we might finally have a high profile prompt injection attack against a name-brand company we could point people to.
https://media.ccc.de/v/39c3-skynet-starter-kit-from-embodied...
> [...] we also exploit the embodied AI agent in the robots, performing prompt injection and achieve root-level remote code execution.
I guess you could argue that github wasn't vulnerable in this case, but rather the author of the action, but it seems like it at least rhymes with what you're looking for.
These folks have found a bunch: https://www.promptarmor.com/resources
But I guess you mean one that has been exploited in the wild?
In this case, a group of pentesters used an AI agent to select McKinsey and then used the AI agent to do the pentesting.
While it is conventional to attribute actions to inanimate objects (car hits pedestrians), IMO we should be more explicit these days, now that unfortunately some folks attribute agency to these agentic systems.
You're doing that by calling them "agentic systems".
You're trying to redefine long standing definitions for God knows what reason.
That's important. Cloudwall isn't really saying they have some secret sauce here, but it's noteworthy who they nabbed.
Not exactly the word on the street in my experience. Is McKinsey more respected for software than I thought? Otherwise I'm curious why TFA didn't just politely leave this bit out.
Hello Gemini
https://simonwillison.net/guides/agentic-engineering-pattern...
Grammar check, typo check, calls you out on factual mistakes and missing links and that's it. I've used this prompt once or twice for my own blog posts and it does just what you expect. You just don't end up with writing like this post by having AI "assistance" - you end up with this type of post by asking Claude, probably the same Claude that found the vulnerability to begin with, to make the whole ass blog post. No human thought went into this. If it did, I strongly urge the authors to change their writing style asap.
"So we decided to point our autonomous offensive agent at it. No credentials. No insider knowledge. And no human-in-the-loop. Just a domain name and a dream."
Give me a fucking break
Like who cares? Is there really some nostalgia for a time before this? When reading some press release from a cybersecurity company was akin to Joyce or Nabakov or whatever? (Maybe Hemingway...)
We really gotta be picking our battles here imo, and this doesn't feel like a high priority target. Let companies be the weird inhuman things that they are.
Read a novel! They are great, I promise. Then when you read other stuff, maybe you won't feel so angry?
But then after you read the exact same structure a dozen times a day on the web, it becomes like nails on the chalkboard. It's a combination of "too much of a good thing" with little variation throughout a long piece of prose, and basic pattern recognition of AI output from a model coalescing to a consistent style that can be spotted as if 1-3 human ghost writers wrote 1/4 of the content on the web.
- understanding existing systems
- what the paint points are
- making suggestions on how to improve those systems given the paint points
- that includes a mix of tech changes, process updates and/or new systems etc
Now, when it comes to implementing this, in my experience it usually ends up being the already in place dev teams.
Source: worked at a large investment bank that hired McKinsey and I knew one of the consultants from McK prior to working at the bank.
I don't view them as top-tier experts in their own right, whether it be statistics or technology, but they have a knack for corporate maneuvering. I often question their overall value beyond the usual "hire the big guns to legitimize a change" mentality. Maybe a useful tradeoff? I'd rather see herd-like adoption of current trends than widespread corporate ignorance and insularity.**
A huge selling point for M&Co is kind of a self-fulfulling prophecy based on the access they get. This gives them a positive feedback loop to find the juiciest and most profitable areas to focus on.
For those who know more, how do my takes compare?
* I interviewed with them over 15 years ago, know people who have worked there, and I pay attention to their reports from time to time.
** Of course, I'd rather see a third way: cross-pollination between organizations to build strong internal expertise and use model-based decision making for nuanced long-term decisions... but that's just crazy talk.
and
> they have a knack for corporate maneuvering
One way to view this is that the above combination of skills is both rare and very useful. That means it's expensive. So instead of hiring someone like that at "full rate" and keeping them around, you can "borrow" them from McK to solve a problem your regular crew can't (or isn't able to) for various reasons.
Plus, as one manager of mine said many years ago:
"We use consultants b/c they are both easy to hire AND easy to fire"
Like everything it’s just marketing.
Depends on the street you're on. Are you on Main Street or Wall Street?
If you're hiring them to help with software for solving a business problem that will help you deliver value to your customers, they're probably just like anyone else.
If you're hiring them to help with software for figuring out how to break down your company for scrap, or which South African officials to bribe, well, that's a different matter.
Many enterprise tools were designed assuming human interaction, where authentication flows, manual reviews, and internal processes add implicit safeguards.
But once you introduce autonomous agents that can systematically probe endpoints, missing authorization checks or misconfigured APIs become much easier to discover and exploit.
I suspect we’ll see a growing need for automated validation layers that continuously test internal AI tools for access control, data exposure, and unintended behaviors before they’re widely deployed.
Edit: Apparently, this is the CEO https://github.com/eth0izzle
Ah. Thanks for the link. I'm suspicious of everything posted to a blog without proof these days.
I assume that means McKinsey would need to disclose it, or at least alert the former employees of the breach?
Well, there you go.
If your data is in this database, it's gone. Other people have it. Your sensitive data that you handed over to their teams has vanished in a puff of smoke. You should probably ask if your data was part of the leak.
Fail to see how a state actor would not have come across this already.
They’ve long been all hype no substance on AI and looks like not much has changed.
They might be good at other things but would run for the hills if McKinsey folks want to talk AI.
Going out of their way to find a woman's name for an AI assistant and bragging about it is not as empowering as the creators probably thought in their heads.
Surely this should all have been behind the firewall and accessible only from a corporate device associated mac address?
Like that ever stopped anyone. That's just a checkbox item.
Traditional application security assumes fairly predictable inputs and workflows, but LLM-based systems introduce entirely new attack surfaces—prompt injection, data leakage, tool misuse, etc.
It feels like many enterprises are still treating these systems as just another SaaS product rather than something closer to an autonomous system that needs a different threat model...
> No credentials. No insider knowledge. And no human-in-the-loop. Just a domain name and a dream.
It just sounds so stupid.
Two word sentences, each one on a new line.
Does anyone know for sure?
> 46.5 million chat messages. From a workforce that uses this tool to discuss strategy, client engagements, financials, M&A activity, and internal research. Every conversation, stored in plaintext, accessible without authentication.
> 728,000 files. 192,000 PDFs. 93,000 Excel spreadsheets. 93,000 PowerPoint decks. 58,000 Word documents. The filenames alone were sensitive and a direct download URL for anyone who knew where to look.
I'm sure lots of very informative journalism could have been done about how corporate power actually works behind the scenes.
> No credentials. No insider knowledge. And no human-in-the-loop. Just a domain name and a dream. ... Within 2 hours, the agent had full read and write access to the entire production database.
Having seen firsthand how insecure some enterprise systems are, I'm not exactly surprised. Decision makers at the top are focused first and foremost on corporate and personal exposure to liability, also known as CYA in corporate-speak. The nitty-gritty details of security are always left to people far down the corporate chain who are supposed to know what they're doing.
You'd think that the world's "most prestigious consulting firm" would have already had someone doing this sort of work for them.
Being able to rewrite your own source. What's the worst that could happen?